CareFirst BlueCross BlueShield said one of its employees recently fell victim to a phishing attack that led to thousands of its members' personal information being exposed.
How many victims? CareFirst believes about 6,800 of its members may have been involved.
What type of information? Member names, identification numbers, dates of birth, and in limited cases (eight individuals) Social Security numbers. No medical or financial information was compromised.
What happened? CareFirst determined on 12 March that a staffer fell victim to a phishing scam that led to the compromise of the employee's email account. This account was then used to send emails to individuals not associated with CareFirst. Since the criminals had access to the email account, they could have gained access to member data, the company said.
What was the response? The phishing email has been analysed by CareFirst's and a third-party's security teams. CareFirst claims there is no evidence that the email contained malware and that no other suspicious activity was detected on the company's systems. There was also no sign that any data had been removed or accessed, but as an extra precautionary measure CareFirst will offer two years of free credit monitoring and identity theft protection to those affected. Potentially affected members will be contacted directly by CareFirst with information about enrolling in the protections being offered.
Quote: “CareFirst has a comprehensive information security program and employees must annually complete mandatory information security training. CareFirst conducts an ongoing security awareness program for employees through which employees are educated about cyber-attack tactics about which they must remain vigilant,” the company said in a statement.